
Re: Expiry based on traffic (kilobytes)



Angelos,

There is a further complication in IPSEC SAs established by ISAKMP: the
SAs are unidirectional but ISAKMP only negotiates one bi-directional set
of values.  We can presume I suppose this means the same lifetime byte
limit goes on both unidirectional SAs, but it seems to me it should be
made explicit in ISAKMP, or rather in the IP DOI.

John B.

At 04:35 PM 10/4/97 EDT, Angelos D. Keromytis <angelos@dsl.cis.upenn.edu>
wrote:
>In message <c=US%a=_%p=TimeStep_Corpora%l=TSNTSRV2-971003191816Z-2690@tsntsrv2.timestep.com>, Roy Pereira writes:
>>[1] Do we add all of the IP packet, or just the section that the SA
>>secured (since an IP packet might have more than one SA transform it).  
>>[2] Do we also add up the byte count from incoming packets?  
>>[3] If so, do we count all of the packet, or just the section that was
>>protected by the SA?
>
>[1] Just the section that the SA secured; if the SA includes both
>encryption and authentication, then only the encrypted bytes should be
>counted.
>
>[2] Incoming packets correspond to a different SA (since we have one
>SA for each direction). You count those for their respective SA. Or
>did I misunderstand the question?
>
>[3] Same as [1]
>
>Cheers,
>- -Angelos
>


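The accounting rules discussed in this thread, as an added example that is not code from the list or from any implementation mentioned here: one ISAKMP-negotiated kilobyte limit is applied to both unidirectional SAs, each direction is charged separately, and only the bytes the SA actually protects (the ESP encrypted portion) are counted. The ESP field sizes are the standard ones; the sample packets and the `Sa`/`EspPacket` names are constructed for this illustration.

```python
# Added example: byte-count lifetime accounting for an ISAKMP-negotiated
# IPsec SA pair. Field sizes are standard ESP; sample data is constructed.
from dataclasses import dataclass

IP_HEADER_LEN = 20   # outer IPv4 header, not protected by the SA
ESP_SPI_LEN = 4      # SPI: authenticated but not encrypted
ESP_SEQ_LEN = 4      # sequence number: authenticated but not encrypted
ESP_TRAILER_LEN = 2  # pad length + next header: inside the encrypted portion

@dataclass
class EspPacket:
    """Lengths of the variable parts of one ESP packet (constructed)."""
    payload_len: int   # inner datagram carried by ESP
    pad_len: int       # cipher block padding
    icv_len: int       # authentication data; 0 if the SA has no authenticator

    def total_len(self) -> int:
        return (IP_HEADER_LEN + ESP_SPI_LEN + ESP_SEQ_LEN + self.payload_len
                + self.pad_len + ESP_TRAILER_LEN + self.icv_len)

    def protected_len(self) -> int:
        """Bytes the SA encrypts: payload, padding and trailer only.
        The SPI, sequence number and ICV are deliberately excluded."""
        return self.payload_len + self.pad_len + ESP_TRAILER_LEN

@dataclass
class Sa:
    direction: str          # "out" or "in"; one SA per direction
    kilobyte_limit: int     # lifetime negotiated once by ISAKMP for the pair
    protected_bytes: int = 0

    def account(self, pkt: EspPacket) -> bool:
        """Charge one packet to this SA; True once the byte limit is reached."""
        self.protected_bytes += pkt.protected_len()
        return self.protected_bytes >= self.kilobyte_limit * 1024

def negotiate_pair(kilobyte_limit: int) -> dict:
    """ISAKMP yields one set of values; both unidirectional SAs inherit it."""
    return {d: Sa(d, kilobyte_limit) for d in ("out", "in")}

def run_traffic(pair: dict, traffic: list) -> dict:
    """Feed (direction, packet) tuples; return which direction has expired."""
    expired = {d: False for d in pair}
    for direction, pkt in traffic:
        if pair[direction].account(pkt):
            expired[direction] = True
    return expired
```

Because inbound and outbound bytes are charged to different SAs, a busy outbound SA can reach the limit while its inbound partner still has most of its lifetime left, so a rekey has to be triggered per SA rather than per pair.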